
UNCLASSIFIED

Windows 7 Image Engineering
DIMEI
System Build and Configuration Overview

Document identifier: DMI-D 012
Issue date: 2013-05-06
Version: 1.03
OPI designator: DIMEI 2
Group / Division: ADM(IM) / DGIMT

Objective: To describe the general build process for the Windows 7 Image.

UNCLASSIFIED Windows 7 Image Engineering – System Build and Configuration Overview

Version 1.03 released 2013-05-06

Page 2 of 31 UNCLASSIFIED

Disclaimer

This document is updated periodically to reflect the current baseline configuration. For the schedule of updates, refer to the Windows 7 Life Cycle Support Plan.

MAKE SURE YOU HAVE THE LATEST UPDATED DOCUMENT.


Release History

| Ser (a) | Date Released (b) | Version (c) | Amendment (d) | Author (e) |
|---|---|---|---|---|
| 1 | 2013-01-11 | 1.01 | Initial draft | Jason Parent |
| 2 | 2013-04-26 | 1.02 | Edits | Sheri Salami |
| 3 | 2013-05-06 | 1.03 | Edits | Maria Shkolnik |


Table of Contents

1. System-Wide Design Decisions ..... 5
  1.1 Operating System ..... 5
    1.1.1 OS Features & Components ..... 5
  1.2 Installed Software ..... 9
  1.3 Security ..... 9
    1.3.1 Department of National Defence Configuration Baseline ..... 9
  1.4 Storage ..... 11
    1.4.1 Folder Redirection ..... 11
    1.4.2 Roaming Profiles ..... 12
2. Detailed System Architecture ..... 15
  2.1 Security ..... 15
    2.1.1 Windows Firewall ..... 15
  2.2 Client Experience ..... 16
    2.2.1 Visual Appearance ..... 16
    2.2.2 User Functionality ..... 19
  2.3 Core Applications ..... 23
    2.3.1 The 2010 Office System ..... 24
    2.3.2 Symantec Endpoint Protection 11 ..... 25
    2.3.3 Cisco Security Agent ..... 25
    2.3.4 Sun Java Virtual Machine ..... 26
    2.3.5 Adobe Reader ..... 26
    2.3.6 Adobe Flash Player ..... 26
    2.3.7 Regional Settings and Keyboard Selection ..... 27
3. Set Network Registry Key ..... 28
Appendix A: USGCB Configuration Spreadsheet ..... 29
Appendix B: Windows 7 Image Core Components & Software ..... 30


1. System-Wide Design Decisions

1.1 Operating System

1.1.1 OS Features & Components

The following tables outline the proposed configuration and highlight where it deviates from the default:

Table 1-1: Games

| Games | Description | Default State | DND/CF State |
|---|---|---|---|
| Games | The Games included with Windows 7. | N | Y |
| Inbox Games | | N | Y |
| Chess | | N | Y |
| FreeCell | | N | Y |
| Hearts | | N | Y |
| Internet Games | | N | N |
| Minesweeper | | N | Y |
| More Games | | N | Y |
| Purble Palace | | N | Y |
| Shanghai | | N | Y |
| Solitaire | | N | Y |
| Spider Solitaire | | N | Y |

Table 1-2: Windows 7 Features & Services

| Windows Feature | Description | Default State | DND/CF State |
|---|---|---|---|
| Indexing Service | Starting with Windows Vista, the content indexer was replaced with the Windows Search indexer, which is enabled by default. The old content indexer services are still included with Windows 7 but are not installed or running by default. | N | N |
| Internet Explorer 8 | | Y | Y |
| IIS | The Microsoft Internet Information Services (IIS) component provides a Web application infrastructure for all versions of Windows. | N | N |
| FTP Server | | N | N |
| FTP Extensibility | | N | N |
| FTP Service | | N | N |
| Web Management Tools | | N | N |
| IIS 6 Management Compatibility: | | N | N |
| IIS 6 Management Console | | N | N |
| IIS 6 Scripting Tools | | N | N |
| IIS 6 WMI Compatibility | | N | N |
| IIS Metabase and IIS 6 configuration compatibility | | N | N |
| IIS Management Console | | N | N |
| IIS Management Scripts and Tools | | N | N |
| IIS Management Service | | N | N |
| World Wide Web Services | | N | N |
| Application Development Features: | | N | N |
| .NET Extensibility | | N | N |
| Active Server Pages (ASP) | | N | N |
| ASP .NET | | N | N |
| Common Gateway Interface (CGI) | | N | N |
| Internet Server API (ISAPI) Extensions | | N | N |
| ISAPI Filters | | N | N |
| Server-Side Includes | | N | N |
| Common HTTP Features: | | N | N |
| Default Document | | N | N |
| Directory Browsing | | N | N |
| HTTP Errors | | N | N |
| HTTP Redirection | | N | N |
| Static Content | | N | N |
| WebDAV Publishing | | N | N |
| Health and Diagnostics: | | N | N |
| Custom Logging | | N | N |
| HTTP Logging | | N | N |
| Logging Tools | | N | N |
| Open Database Connectivity (ODBC) Logging | | N | N |
| Request Monitor | | N | N |
| Tracing | | N | N |
| Performance Features: | | N | N |
| Dynamic Content Compression | | N | N |
| Static Content Compression | | N | N |
| Security: | | N | N |
| Basic Authentication | | N | N |
| Client Certificate Mapping Authentication | | N | N |
| Digest Authentication | | N | N |
| IIS Client Certificate Mapping Authentication | | N | N |
| IP Security (IPSec) | | N | N |
| Request Filtering | | N | N |
| URL Authorization | | N | N |
| Windows Authentication | | N | N |
| IIS Hostable Web Core | | N | N |
| Media Features | | Y | Y |
| Windows DVD Maker | | Y | Y |
| Windows Media Center | | Y | Y |
| Windows Media Player | | Y | Y |
| Microsoft .NET Framework 3.5.1 | The .NET framework is a collection of managed code APIs for presentation, communication, and workflow. | * | * |
| Windows Communication Foundation HTTP Activation | | N | N |
| Windows Communication Foundation non-HTTP Activation | | N | N |
| MSMQ Server | Microsoft Message Queuing (MSMQ) enables applications running at different times to communicate across heterogeneous networks and systems that may be temporarily offline. | N | N |
| MSMQ Server Core | | N | N |
| MSMQ Active Directory Domain Services Integration | | N | N |
| MSMQ HTTP Support | | N | N |
| MSMQ Triggers | | N | N |
| Multicasting Support | | N | N |
| MSMQ DCOM Proxy | | N | N |
| Print and Document Services | The Print Services component manages printers and printing within Windows 7. | * | * |
| Internet Printing Client | | Y | N |
| LPD Print Service | | N | N |
| LPR Port Monitor | | N | N |
| Scan Management | | N | N |
| Windows Fax and Scan | | Y | Y |
| RAS Connection Manager Administration Kit (CMAK) | | N | N |
| RIP Listener | This component handles the Remote Access Service (RAS) IP Routing Information Protocol (RIP). | N | N |
| Services for NFS | Network File System (NFS) is a protocol developed by the Internet Engineering Task Force (IETF) and used for connection to an NFS share. | N | N |
| Administrative Tools | | N | N |
| Client for NFS | | N | N |
| Simple TCP/IP Services (e.g. echo, daytime) | | N | N |
| SNMP Feature | Simple Network Management Protocol (SNMP) is an application-layer protocol that facilitates the exchange of management information between network devices. | N | N |
| WMI SNMP Provider | | N | N |
| Subsystem for UNIX-based Applications | SUA provides compatibility with UNIX-based applications. | N | N |
| Tablet PC Components | This component adds or removes accessories such as Tablet PC Input Panel, Windows Journal, and Snipping Tool as well as features such as handwriting recognizers. | Y | Y |
| Telnet Client | This component is the client for the terminal emulation program for TCP/IP networks. | N | N |
| Telnet Server | This component is the server for the terminal emulation program for TCP/IP networks. | N | N |
| TFTP Client | Trivial File Transfer Protocol (TFTP) is a simple form of FTP that has no security features. | N | N |
| Windows Gadget Platform | | Y | Y |
| Windows Process Activation Service: | This service manages application pools and worker processes for both HTTP and non-HTTP requests. | N | N |
| Microsoft .NET Environment | | N | N |
| Configuration APIs | | N | N |
| Process Model | | N | N |
| Windows Search | | Y | Y |
| Windows TIFF iFilter | | N | N |
| XPS Services | | Y | Y |
| XPS Viewer | | Y | Y |

Component selection will be accomplished by manipulating the unattend.xml file for the OS from within the MDT 2012 console using the Windows System Image Manager (WSIM) tool included with the Windows Assessment and Deployment Kit (ADK).

The section to be added is as follows:

• Catalog Root Packages
  o Foundation
    • x86_Microsoft-Windows-Foundation-Package_6.1.7600.16385_

OR

• Catalog Root Packages
  o Foundation
    • amd64_Microsoft-Windows-Foundation-Package_6.1.7600.16385_

The settings to be updated are:

• InBoxGames = Enabled
• Chess = Enabled
• FreeCell = Enabled
• Hearts = Enabled
• Internet Games = Disabled
  o Internet Backgammon = Disabled
  o Internet Checkers = Disabled
  o Internet Spades = Disabled
• Minesweeper = Enabled
• More Games = Enabled
• PurblePlace = Enabled
• Shanghai = Enabled
• Solitaire = Enabled
• Spider Solitaire = Enabled
• Printing-Foundation-Features = Enabled
• Printing-Foundation-InternetPrinting-Client = Disabled
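The WSIM step above ends up as a `<servicing>` section in unattend.xml. The following is an added example, not the document's or DND's own tooling: it builds that section for either architecture and audits an existing unattend.xml against the DND/CF states listed above, so a drift in the image (a game or the Internet Printing client silently re-enabled) is caught before deployment. The selection names are copied from the list above and must be confirmed against the WSIM catalog for the image being built (the catalog is case-sensitive); the publicKeyToken is the standard token carried by Microsoft Windows component packages and is assumed here rather than taken from the document.

```python
"""Build and audit the <servicing> section that WSIM adds to unattend.xml
for the Windows Foundation package.

Added example, not the document's or DND's own tooling. Selection names are
copied from the document's settings list (exact names, including case, must
be confirmed against the WSIM catalog). The publicKeyToken is the standard
token used by Microsoft Windows component packages (assumed, not from the
document); the processorArchitecture values are the two in the document.
"""
import xml.etree.ElementTree as ET

UNATTEND_NS = "urn:schemas-microsoft-com:unattend"
MS_PUBLIC_KEY_TOKEN = "31bf3856ad364e35"  # standard Windows component token (assumed)
FOUNDATION_PACKAGE = "Microsoft-Windows-Foundation-Package"
FOUNDATION_VERSION = "6.1.7600.16385"

# Intended DND/CF states from the document (True = Enabled, False = Disabled).
DND_CF_SELECTIONS = {
    "InBoxGames": True,
    "Chess": True,
    "FreeCell": True,
    "Hearts": True,
    "Internet Games": False,
    "Internet Backgammon": False,
    "Internet Checkers": False,
    "Internet Spades": False,
    "Minesweeper": True,
    "More Games": True,
    "PurblePlace": True,
    "Shanghai": True,
    "Solitaire": True,
    "Spider Solitaire": True,
    "Printing-Foundation-Features": True,
    "Printing-Foundation-InternetPrinting-Client": False,
}


def q(tag):
    """Qualify a tag with the unattend namespace."""
    return "{%s}%s" % (UNATTEND_NS, tag)


def build_servicing(arch, selections):
    """Return the <servicing> XML for one architecture ('x86' or 'amd64')."""
    ET.register_namespace("", UNATTEND_NS)  # serialize with a default xmlns
    servicing = ET.Element(q("servicing"))
    package = ET.SubElement(servicing, q("package"), action="configure")
    ET.SubElement(package, q("assemblyIdentity"),
                  name=FOUNDATION_PACKAGE, version=FOUNDATION_VERSION,
                  processorArchitecture=arch,
                  publicKeyToken=MS_PUBLIC_KEY_TOKEN, language="")
    for name, enabled in selections.items():
        ET.SubElement(package, q("selection"),
                      name=name, state="true" if enabled else "false")
    return ET.tostring(servicing, encoding="unicode")


def selection_states(xml_text):
    """Parse a <servicing> fragment (or a whole unattend.xml) into {name: bool}."""
    root = ET.fromstring(xml_text)
    return {sel.get("name"): sel.get("state") == "true"
            for sel in root.iter(q("selection"))}


def audit_selections(xml_text, expected):
    """Return [(name, found_state, expected_state)] for every selection that is
    missing (found_state None) or set differently from `expected`;
    an empty list means the file matches the intended states."""
    found = selection_states(xml_text)
    return [(name, found.get(name), want)
            for name, want in expected.items()
            if found.get(name) != want]


if __name__ == "__main__":
    for arch in ("x86", "amd64"):
        xml_text = build_servicing(arch, DND_CF_SELECTIONS)
        print(xml_text)
        print(arch, "mismatches:", audit_selections(xml_text, DND_CF_SELECTIONS))
```

Pointing `selection_states` at a full unattend.xml works unchanged because `iter` walks the whole tree; a non-empty result from `audit_selections` is the list to hand back to the image engineer.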

1.2 Installed Software

The following components and software programs will be included (pre-installed) in the Windows 7 master image for all Domains:

Table 1-3: Windows 7 Master Image Components – Core Components added during MDT (Phase 1)

| Software | Version | Comments |
|---|---|---|
| Microsoft Windows Enterprise Edition | Windows 7 SP1 (Build 7601) | Windows 7 will be produced in x86 and x64 images. |
| DND Environment Variables | | |
| DND Workstation Tools | 4.0 | |
| Microsoft .NET Framework | 4.0 | Already approved & in use on DWAN. No update required. Revision included in stated OS revision level. |
| MS PowerShell | 3.0 | |
| VC++ 2005 Redistributable | | |
| VC++ 2008 Redistributable | | |
| VC++ 2010 Redistributable | | |
| Microsoft Office Professional Plus Edition | 2010 SP1 32-bit | |
| Sun Java Virtual Machine | 6 r 27 | Already approved/in use on DWAN & CSNI |
| Adobe Reader | 9.4 | Already approved/in use on DWAN & CSNI |
| Adobe Flash Player | 10 | Already approved/in use on DWAN & CSNI |
| K-Lite Codec Pack | 5.90 | Already approved/in use on DWAN & CSNI |
| Microsoft Visio Viewer | 2010 | Already approved/in use on DWAN & CSNI |
| Multi-lingual User Interface | | English and French-language MUI |

Note: For a list of core software not common to all domains added to SCCM OSD Task Sequence, please refer to Appendix B: Windows 7 Image Core Components & Software.

Please note that the above list is what is current to the Windows 7 RC-3 image. This could change in future releases of the image.

1.3 Security

1.3.1 Department of National Defence Configuration Baseline

The following set of GPOs is an example of what has been implemented on the DWAN:

Table 1-5: DNDCB Group Policy Objects

| Policy type | DND Name | Comments |
|---|---|---|
| User policies | IMG-DND-U-Win7-NDMSitePrepLogonScript | Scoped to apply only to the NDMNationalWin7SitePrep security group |
| | IMG-DND-U-Win7-NDMUserEnvironment | Scoped to apply only to the NDMWin7UserEnvFolderRedirection security group |
| | IMG-DND-U-DNDCB-IE8-User | |
| | IMG-DND-U-DNDCB-Win7-User | |
| | IMG-DND-U-Win7 Core Application Settings 1.0-User | |
| | IMG-DND-U-Win7 Office 2010 Settings-User | |
| | IMG-DND-U-Win7 Windows Media Player 12-User | |
| Computer policies | IMG-DND-W-DNDCB-IE8-Computer | IE 8 configuration |
| | IMG-DND-W-DNDCB-Win7-AppPortControl | |
| | IMG-DND-W-DNDCB-Win7-Computer | Computer Configuration – Policy: Logon Message & Dialog Title; USGCB settings overrides (table 9); Windows Firewall turned on, pass-through mode. Computer Configuration – Preferences: Local Administrators group membership. User Configuration – Preferences: Screen Saver default selection; Presentation settings; Disable configuration of wireless settings using Windows Connect Now; Disables interactive logon while deployment is in progress. |
| | IMG-DND-W-DNDCB-Win7-Computer-Energy | |
| | IMG-DND-W-DNDCB-Win7-Core Application Settings 1.0-Computer | Adobe Reader 9.2 DND configuration; Microsoft Silverlight 3.0 configuration; Sun JRE 1.6.0_17 configuration |
| | IMG-DND-W-DNDCB-Win7 Office 2010 Settings-Computer | Office 2010 configuration |
| | IMG-DND-W-DNDCB-Win7 Windows Media Player 12-Computer | Media Player 12 configuration |
| | IMG-DND-W-DNDCB-Win7-AppLocker Exceptions | |
| | IMG-DND-W-Win7-Computer Event Forwarding | |
| | IMG-DND-W-Win7-NDMNationalComputerManagers | |

All standard USGCB settings will be adopted, with the exception of three particular configuration items which will be slightly relaxed due to anticipated application compatibility issues in DND’s environment. These differences are highlighted in the DNDCB:

Table 1-6: DND Overrides to USGCB Settings

| Setting | USGCB Recommendation | DND Setting (rationale) | GPO Path | Registry Value |
|---|---|---|---|---|
| Network security: Do not store LAN Manager hash value on next password change | Enabled | Disabled (turning off LM will likely cause problems when authenticating to non-MS applications) | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash |
| Network security: LAN Manager authentication level | Send NTLMv2 Response only. Refuse LM and NTLM | 2. Send LM and NTLM - use NTLMv2 session security if negotiated (same reason as above) | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security, Require 128 bit encryption | Require 128 bit encryption | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec |

There is an additional NIST USGCB policy, USGCB v1.0 Q1 2009 Windows Firewall Settings, which will not be included as this functionality is provided by SEP-11.

See Appendix A for an exhaustive listing of the USGCB security settings.
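Because the three overrides in Table 1-6 deliberately sit below the USGCB baseline, a deployed workstation should be checked for exactly how far below it sits (and that nothing relaxed it further than the DNDCB intends). The following is an added example, not DND or NIST tooling: it reads a `reg export` of the two Lsa keys and reports each value against the USGCB baseline using the documented Windows encodings of the policy text quoted in the table (NoLMHash 1 = Enabled, LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM", NTLMMinClientSec 0x20080000 = NTLMv2 session security plus 128-bit encryption). The .reg text is constructed to look like a real export and its values are chosen to be weaker than the baseline; it is not data from any DND system.

```python
"""Audit the three Lsa settings in Table 1-6 against the USGCB baseline using
a registry export. Added example, not DND or NIST tooling. The .reg text is
constructed to look like `reg export` output for the two keys (a real export
is UTF-16 and must be opened with encoding="utf-16"). The DWORD encodings are
the documented Windows values for the policy text in the table; the sample's
values are deliberately below the baseline."""
import re

# USGCB-recommended values, as Windows stores them in the registry.
USGCB_BASELINE = {
    "NoLMHash": 1,                    # Enabled: do not store the LM hash
    "LmCompatibilityLevel": 5,        # Send NTLMv2 response only; refuse LM & NTLM
    "NTLMMinClientSec": 0x20080000,   # Require NTLMv2 session security + 128-bit
}
REG_KEY = {
    "NoLMHash": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
    "LmCompatibilityLevel": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
    "NTLMMinClientSec": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
}
LM_COMPAT_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only. Refuse LM",
    5: "Send NTLMv2 response only. Refuse LM & NTLM",
}
NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000   # "Require NTLMv2 session security"
NTLMSSP_NEGOTIATE_128 = 0x20000000     # "Require 128-bit encryption"

# Constructed sample export (not from any DND system).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000000
"LmCompatibilityLevel"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NTLMMinClientSec"=dword:20000000
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the REG_DWORD values in a .reg file."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            values.setdefault(current, {})
            continue
        dword = re.match(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$', line)
        if dword and current is not None:
            values[current][dword.group(1)] = int(dword.group(2), 16)
    return values


def describe(name, value):
    """Human-readable meaning of a value, for the audit report."""
    if value is None:
        return "not set (Windows default applies)"
    if name == "NoLMHash":
        return "LM hash not stored" if value == 1 else "LM hash stored"
    if name == "LmCompatibilityLevel":
        return LM_COMPAT_LEVELS.get(value, "unknown level %d" % value)
    if name == "NTLMMinClientSec":
        flags = [label for bit, label in ((NTLMSSP_NEGOTIATE_NTLM2, "NTLMv2 session security"),
                                          (NTLMSSP_NEGOTIATE_128, "128-bit encryption"))
                 if value & bit]
        return "require " + (", ".join(flags) if flags else "nothing")
    return str(value)


def audit_lsa(reg_text):
    """Return [(name, observed, baseline, weaker)]: weaker is True when the
    observed value provides less than USGCB asks for, False when it meets it,
    and None when the value is absent (the Windows default applies, nothing
    is enforced by policy)."""
    exported = parse_reg_export(reg_text)
    findings = []
    for name, baseline in USGCB_BASELINE.items():
        observed = exported.get(REG_KEY[name], {}).get(name)
        if observed is None:
            weaker = None
        elif name == "NTLMMinClientSec":
            weaker = (observed & baseline) != baseline   # a required flag is missing
        else:
            weaker = observed < baseline
        findings.append((name, observed, baseline, weaker))
    return findings


if __name__ == "__main__":
    for name, observed, baseline, weaker in audit_lsa(SAMPLE_REG_EXPORT):
        print("%-22s %-8s observed: %s | USGCB: %s"
              % (name, "RELAXED" if weaker else "ok",
                 describe(name, observed), describe(name, baseline)))
```

NTLMMinClientSec is a bitmask, so it is compared flag by flag rather than numerically; the other two are ordinal levels where a lower number is weaker.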

1.4 Storage

1.4.1 Folder Redirection

Folder Redirection is configured in Group Policy under User Configuration under the following path:

[Group Policy Object Name]\User Configuration\Policies\Windows Settings\Folder Redirection

Folder redirection will be implemented for the following applicable folders:

Table 3: Folder Redirection

| Folder | DWAN-Physical | DWAN-Mobile | CSNI-Physical | CSNI-VHD |
|---|---|---|---|---|
| AppData | | | | |
| Contacts | | | | |
| Desktop | | | | |
| Documents | | | | |
| Downloads | | | | |
| Favorites | | | | |
| Links | | | | |
| Music | | | | |
| Pictures | | | | |
| Saved Games | | | | |
| Searches | | | | |
| Videos | | | | |

DWAN (need to configure DWAN accordingly):

• AppData: folder redirected
• Contacts: folder redirected
• Documents: folder redirected
• Favorites: folder redirected
• Links: folder redirected

VHD (need to investigate the scenario where a person switches back and forth between thin and thick clients; need to configure VHD accordingly):

• AppData: folder redirected
• Contacts: folder redirected
• Desktop: folder redirected
• Documents: folder redirected
• Downloads: folder redirected
• Favorites: folder redirected
• Links: folder redirected
• Music: folder redirected
• Pictures: folder redirected
• Saved Games: folder redirected
• Searches: folder redirected
• Videos: folder redirected

1.4.2 Roaming Profiles

Incompatibilities between Windows XP and Windows 7 include the following:

Table 1-8: Profile Folder Structure Changes - v1 & v2 Profiles

| Configuration Item | Windows XP (v1 profile) | Windows 7 (v2 profile) |
|---|---|---|
| AppData | N/A | C:\Users\%UserName%\AppData |
| Application Data | C:\Documents and Settings\%UserName%\Application Data | C:\Users\%UserName%\AppData\Roaming |
| Contacts | N/A | C:\Users\%UserName%\Contacts |
| Cookies | C:\Documents and Settings\%UserName%\Cookies | C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Cookies |
| Desktop | C:\Documents and Settings\%UserName%\Desktop | C:\Users\%UserName%\Desktop |
| Documents | C:\Documents and Settings\%UserName%\My Documents | C:\Users\%UserName%\Documents |
| Downloads | N/A | C:\Users\%UserName%\Downloads |
| Favorites | C:\Documents and Settings\%UserName%\Favorites | C:\Users\%UserName%\Favorites |
| Links | N/A | C:\Users\%UserName%\Links |
| Local Settings | C:\Documents and Settings\%UserName%\Local Settings | N/A |
| | C:\Documents and Settings\%UserName%\Local Settings\Application Data | C:\Users\%UserName%\AppData\Local |
| | C:\Documents and Settings\%UserName%\Local Settings\History | C:\Users\%UserName%\AppData\Local\Microsoft\Windows\History |
| | C:\Documents and Settings\%UserName%\Local Settings\Temp | C:\Users\%UserName%\AppData\Local\Temp |
| | C:\Documents and Settings\%UserName%\Local Settings\Temporary Internet Files | C:\Users\%UserName%\AppData\Local\Microsoft\Windows\Temporary Internet Files |
| Music | C:\Documents and Settings\%UserName%\My Music | C:\Users\%UserName%\Music |
| My Recent Documents | C:\Documents and Settings\%UserName%\Recent | C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Recent |
| NetHood | C:\Documents and Settings\%UserName%\NetHood | C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Network Shortcuts |
| Pictures | C:\Documents and Settings\%UserName%\My Pictures | C:\Users\%UserName%\Pictures |
| PrintHood | C:\Documents and Settings\%UserName%\PrintHood | C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Printer Shortcuts |
| Saved Games | N/A | C:\Users\%UserName%\Saved Games |
| Searches | N/A | C:\Users\%UserName%\Searches |
| SendTo | C:\Documents and Settings\%UserName%\SendTo | C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\SendTo |
| Start Menu | C:\Documents and Settings\%UserName%\Start Menu | C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu |
| Templates | C:\Documents and Settings\%UserName%\Templates | C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Templates |
| Videos | C:\Documents and Settings\%UserName%\My Videos | C:\Users\%UserName%\Videos |

PB_Loc PB_Backup_Sauvegarde

PB_user_manage_usager

In addition, the following folders are also changed:

• All Users profile changes to Public
• Recycle Bin moves into the profile, enabling per-user delete and restore

Figure 1: Windows 7 v2 Profile Folder Structure


2. Detailed System Architecture

Existing IS Services Used

• Standard DWAN and CSNI networking services (DNS, DHCP, proxies, firewalls, etc.)
• Active Directory
• Symantec Endpoint Protection (SEP) 11
• Microsoft Exchange e-mail services
• DVPNI (Nortel Contivity)

New or Updated IS Services Used (some of these do not apply to every network)

• Updated: Cisco Security Agent (CSA) 6
• Updated: Configuration Manager 2007 R2 (replaces SMS 2003)
• Updated: Public Key Infrastructure (PKI)
  o PKI Certificate Authority: Entrust CA v7.1 SP2
  o PKI Client: Entrust ESP 9
  o Outlook Support: ESPo 8
  o Smartcard Support: SafeNet Borderless Protection 7.2

IS Services Provided by Subject System

• Desktop computing (general purpose), including e-mail services.

2.1 Security

2.1.1 Windows Firewall

Windows Firewall settings are configured in the GPO “IMG-DND-W-Windows 7 Desktop Settings 1.0”, where the Windows Firewall is set to “On” for all profiles. The following pass-through configuration rules for Windows Firewall are implemented:

• Group Policy Key Path: Computer Configuration / Windows Settings / Security Settings / Windows Firewall with Advanced Security / Windows Firewall with Advanced Security

  Domain Profile
  o Windows Firewall: On
  o Inbound connections that do not match a rule are allowed
  o Outbound connections that do not match a rule are allowed

  Private Profile
  o Windows Firewall: On
  o Inbound connections that do not match a rule are allowed
  o Outbound connections that do not match a rule are allowed

  Public Profile
  o Windows Firewall: On
  o Inbound connections that do not match a rule are allowed
  o Outbound connections that do not match a rule are allowed

• Inbound Rules:
  o Name: Allow All
  o Action: Allow Connection
  o Programs & Services: All
  o Protocols & Ports: Any Protocol, All Local & Remote Ports
  o Scope: Any Local or Remote IP Subnet
  o Profiles & Interfaces: All

• Outbound Rules:
  o Name: Allow All
  o Action: Allow Connection
  o Programs & Services: All
  o Protocols & Ports: Any Protocol, All Local & Remote Ports
  o Scope: Any Local or Remote IP Subnet
  o Profiles & Interfaces: All

Important: The Windows Firewall must not be disabled by stopping the service. If the Windows Firewall with Advanced Security service is turned off, other benefits provided by the service are also lost, such as the ability to use Internet Protocol security (IPsec) connection security rules, Windows Service Hardening, and network protection from attacks that employ network fingerprinting. Non-Microsoft firewall software that is compatible with Windows 7 and Windows Server 2008 can programmatically disable only the parts of Windows Firewall with Advanced Security that need to be disabled for compatibility. The SEP 11 client automatically accomplishes this. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft.
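The pass-through configuration above is only safe while SEP 11 is doing the inbound filtering; the same firewall state on a host where the SEP client is absent or stopped is an exposed host, and a stopped Windows Firewall service is the unsupported state the note warns about. The following is an added example, not DND tooling: it classifies each profile from collected `netsh advfirewall show allprofiles` output as filtering, pass-through (on, inbound default Allow) or off, and raises a finding for pass-through only when no host firewall agent is reported running. The sample output is constructed in the shape netsh prints on Windows 7 (only the State and Firewall Policy lines are read); whether the agent is running is passed in by the caller, for example from a separate service query.

```python
"""Classify Windows Firewall profiles from `netsh advfirewall show allprofiles`
output: filtering, pass-through (on, inbound default Allow, as the GPO above
configures) or off. Added example, not DND tooling. The sample text is
constructed in the shape netsh prints; only State and Firewall Policy are read."""
import re

# Constructed sample: the first two profiles are pass-through as in the GPO,
# the third is left at the Windows default for contrast.
SAMPLE_NETSH_OUTPUT = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       AllowInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       AllowInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Ok.
"""


def parse_profiles(text):
    """Return {profile_name: {"State": ..., "Firewall Policy": ...}}."""
    profiles, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(Domain|Private|Public) Profile Settings:", line)
        if header:
            current = header.group(1)
            profiles[current] = {}
            continue
        field = re.match(r"^(State|Firewall Policy)\s{2,}(\S.*)$", line)
        if field and current is not None:
            profiles[current][field.group(1)] = field.group(2).strip()
    return profiles


def classify(profile):
    """'off', 'pass-through' (on, inbound default Allow) or 'filtering'."""
    if profile.get("State", "").upper() != "ON":
        return "off"
    inbound = profile.get("Firewall Policy", "").split(",")[0]
    return "pass-through" if inbound == "AllowInbound" else "filtering"


def audit_firewall(text, host_firewall_agent_running):
    """Return {profile: (classification, finding)}; finding is None when the
    state is acceptable under the document's model, in which pass-through is
    acceptable only while the third-party agent (SEP 11) filters inbound."""
    report = {}
    for name, profile in parse_profiles(text).items():
        kind = classify(profile)
        if kind == "off":
            finding = "profile off: unsupported; IPsec and service hardening lost"
        elif kind == "pass-through" and not host_firewall_agent_running:
            finding = "inbound default Allow with no host firewall agent filtering"
        else:
            finding = None
        report[name] = (kind, finding)
    return report


if __name__ == "__main__":
    for name, (kind, finding) in audit_firewall(SAMPLE_NETSH_OUTPUT, True).items():
        print("%-8s %-13s %s" % (name, kind, finding or "ok"))
```

Running the same audit with the agent flag set to False turns every pass-through profile into a finding, which is the condition a collection script should alert on across the fleet.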

2.2 Client Experience

2.2.1 Visual Appearance

As a result, the following settings will be enabled for all users who have the Windows Aero user experience (default):

• Dynamic Scaling for Windows
• Windows Flip
• Windows Flip 3D
• Live Taskbar thumbnails


Users whose computers are set to the Windows 7 Basic (or Windows Classic) user experience will not get these features. The default “Windows 7” visual theme will be applied.

Table 2-1: Windows 7 Default Themes

| Theme Name | Theme Type | Configuration Item | Setting | Description |
|---|---|---|---|---|
| Windows 7 | Aero Glass | Background | Harmony | File Name: Img0.jpg |
| | | Windows Color | Sky | |
| | | Sounds | Windows Default | |
| | | Screen Saver | None | Managed by GPO. The resulting settings are: Screen Saver: Blank; Timeout: 15 minutes; Password on Resume: Yes |
| Windows 7 Basic | Basic & High Contrast | Background | Harmony | File Name: Img0.jpg |
| | | Windows Color | Windows 7 Basic | |
| | | Sounds | Windows Default | |
| | | Screen Saver | None | |
| Windows Classic | Basic & High Contrast | Background | Solid Color | Background Colour: Blue |
| | | Windows Color | Windows Classic | |
| | | Sounds | Windows Default | |
| | | Screen Saver | None | |

2.2.1.1 Screen Saver

This configuration is controlled by the following GPOs (note that the settings shown here are valid only as of the time of writing):

• IMG-DND-U-DNDCB-Win7-User – Windows 7 Additional Settings (User Configuration / Policy)
  o Enable Screen Saver
  o Password-Protect Screen Saver
  o Screen Saver Timeout: 900 seconds (15 minutes)

• IMG-DND-W-Windows 7 Desktop Settings 1.0 (User Configuration / Preference): assigns a default Screen Saver of “Blank” (SCRNSAVE.SCR) if none is selected.
  o Item-Level Targeting: If Registry Value “HKCU\Control Panel\Display\SCRNSAVE.EXE” (REG_SZ) does not exist
  o Refresh this setting regularly


2.2.1.2 Start Menu

The Start menu can be customized using domain-based Group Policy objects (GPOs) according to business requirements. (The Windows 7 Image Start menu will remain in its default configuration, as we expect desired customizations to come to light during the Pilot process).

From the Start Menu, users have quick access to their most frequently used applications, folders, and tools. The top of the left side is the Pin To area. Users can right-click program icons, and then click Pin To Start Menu. From then on, the icon will be displayed in this area.

The bottom portion of the left side displays the applications that users most commonly run. This area of the menu is dynamically built based on application usage patterns. At the very bottom of the left pane, the All Programs option displays the All Programs menu.

The top of the right side shows commonly used folders for quick access. The bottom of the right side displays commonly required utilities, such as Control Panel and Help.

Figure 2: Windows 7 Start Menu

The Start menu can be configured using the interface shown in Figure 2. These default settings reinforce the new Windows 7 experience for the user. They will remain entirely user-configurable, as these settings do not have any security implications.

Figure 2: Windows 7 Start Menu Properties


2.2.2 User Functionality

2.2.2.1 User Profiles

In addition to the user registry, the following directories make up a user’s profile:

• AppData: Default location for user application data and binaries (hidden by default)

• Contacts: Default location for the user’s contacts

• Desktop: Desktop items, including files and shortcuts

• Documents: Default location of all user-created documents

• Downloads: Default location to save all downloaded content

• Favorites: Internet Explorer Favorites

• Links: Contains Windows Explorer Favorite links

• Music: Default location for the user’s music files

• Pictures: Default location for the user’s picture files

• Saved Games: Used for saved games

• Searches: Default location for saved searches

• Videos: Default location for the user’s video files

The names of the folders and their locations have changed under the profile. Previous versions of user profiles contained a complex folder structure, often including nested folders two and three layers deep. The new folder locations contain fewer nested folders to ease navigation, and the new names are more intuitive to the data contained within them.

Windows Vista and Windows 7 have also changed the Application Data folder structure. Previous user profiles did not logically sort data stored in the Application Data folder, making it difficult to distinguish data that belonged to the computer from data belonging to the user. Windows 7 addresses this issue by creating a single AppData folder under the user profile. The AppData folder contains three subfolders: Roaming, Local, and LocalLow.

Windows uses the Local and LocalLow folders for application data that does not roam with the user. Typically, this data is either computer specific or too large to roam. The AppData\Local folder in Windows 7 is the same as the Documents and Settings\username\Local Settings\Application Data folder in Windows XP.

Windows 7 renames the All Users profile to the Public profile, and the folder structure is the same as all Windows Vista profiles. Windows Explorer will continue to merge specific folders in the Public profile, such as Desktop and the Start menu, with regular user profiles at logon. The Public profile does not have a user registry, because Windows does not load this profile. Therefore, Windows writes all shared settings to the HKEY_LOCAL_MACHINE hive of the registry.

When users log on for the first time to a computer running Windows 7, they do not have a roaming profile in place, so they get a copy of the local default user profile. For this reason, the default user profile will be configured to provide the required look and feel.


The majority of desktop settings will be applied centrally by using Group Policy (or GPP). The settings that the users can change will be initially set using an “Apply once” GPP and/or the Default User profile. For example, to set the system theme to Windows Aero theme but allow users to switch to Windows Classic mode, the Aero theme should be set in the Default User profile or in a GPP. In order to prevent users from changing the view, the Group Policy should be set.

2.2.2.2 Folder Redirection

Windows redirects the local folder to a central location, giving users immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.

In Windows XP, the only folders that Folder Redirection supported were Application Data, Desktop, My Documents, My Pictures, and Start Menu. Heavily used folders such as Favorites and Cookies were not included, so it was still possible for profiles to grow large enough to slow down performance.

Windows Vista and Windows 7 have an improved roaming user experience, leveraging changes in user profiles and Folder Redirection. The user profile folder structure or namespace has changed. Logically divided, the user profile namespace has a distinct separation between user and application data. Folder Redirection returns with the same behavior; however, now you can redirect 10 folders out of the user profile.

Also, the new Folder Redirection Group Policy snap-in allows you to manage Folder Redirection policies for Windows 7, Windows Vista, Windows XP, and Windows 2000. You can create the most efficient roaming user experience when you combine Folder Redirection and Roaming Profiles.

All known folders can be redirected individually (for example, redirect Documents without redirecting Music and Pictures). Redirected folders are not (by default) synchronized, resulting in quicker logon/logoff times.

Redirection of at least the Documents and Desktop folders will be implemented for the following reasons:

• The folders that make user profiles large are typically Documents and Desktop. It is not uncommon for a user to drop 5 MB spreadsheets on their desktops so that they are easy to access, not realising this file will now be copied to the server (in their profile) when they log off. At least if these files are in a redirected Desktop, they are only copied again if the file is changed rather than every time users log on to a different computer.

• By reducing the profile size, the user logon experience will be greatly enhanced.

• If a user logs onto a computer for the first time, not all the files on the Desktop are downloaded to the computer. They are only copied if the files are accessed. Users will see the icons, but their logon will not be degraded by first-time downloads.

• If a user has a redirected desktop, administrative staff can easily see the contents of that desktop by looking in the redirected folder located on the network drive. This helps in the troubleshooting process.

• If the Desktop folder is redirected to a user’s home share, quotas will apply to the desktop data. This deters users from littering their desktops with excessive amounts of large files.

• Documents are the default location for data files from Microsoft Office and many other applications. If left as default, this folder is part of the Roaming Profile.

The folders will be redirected to the same file servers that the current Windows XP users’ folders are redirected to.


Table 2-2: Folder Redirection Group Policy Configuration

Columns: Policy Path, Policy Setting, Setting Value, Setting Configuration.

Policy Path: User Configuration / Policies / Windows Settings / Folder Redirection / <folder>, with one entry for each of the following folders:

• AppData (Roaming)
• Desktop
• Start Menu
• Documents
• Pictures
• Music
• Videos
• Favorites
• Contacts
• Downloads
• Links
• Searches
• Saved Games

The Policy Setting, Setting Value and Setting Configuration columns are identical for every folder listed:

Setting: Not Configured (No Folder redirection); Basic (Create a Folder for each User under the root path); Advanced (Existing Group Names)

Root Path: Create a Folder for each User under the root path; Root Path: TBD
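As an added example (not part of the DIMEI document or its GPOs), the following PowerShell reads the logged-on user's User Shell Folders registry key to verify which of the redirectable folders above actually resolve to a network location, and warns when Desktop or Documents, the two folders the document requires, are still local. The function name, the folder selection and the assumption that redirected targets are UNC paths are this example's own.

```powershell
# Added example (not part of the DIMEI build document): reports, for the
# logged-on user, whether each redirectable known folder resolves to a network
# path, i.e. whether Folder Redirection actually applied on this client.
# Value names are the ones Windows uses under "User Shell Folders"; the folder
# set is this example's own selection, and "redirected" is taken to mean a UNC
# target (an assumption; a mapped-drive target would be reported as local).
function Get-FolderRedirectionStatus {
    param(
        # Registry value names of folders that must be redirected for compliance
        [string[]]$Required = @('Desktop', 'Personal')
    )

    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    # Display name -> registry value name used by Windows for each known folder
    $folders = [ordered]@{
        'AppData (Roaming)' = 'AppData'
        'Desktop'           = 'Desktop'
        'Start Menu'        = 'Start Menu'
        'Documents'         = 'Personal'
        'Pictures'          = 'My Pictures'
        'Music'             = 'My Music'
        'Videos'            = 'My Video'
        'Favorites'         = 'Favorites'
    }

    $raw = Get-ItemProperty -Path $key
    foreach ($name in $folders.Keys) {
        $valueName = $folders[$name]
        $path = $raw.$valueName
        # Values are REG_EXPAND_SZ: expand %USERPROFILE% etc. to the real location
        if ($path) { $path = [Environment]::ExpandEnvironmentVariables($path) }
        [pscustomobject]@{
            Folder     = $name
            Path       = $path
            Redirected = [bool]($path -and $path.StartsWith('\\'))
            Required   = ($Required -contains $valueName)
        }
    }
}

# Report all folders, then flag any required folder that is still profile-bound
$status  = Get-FolderRedirectionStatus
$missing = $status | Where-Object { $_.Required -and -not $_.Redirected }
$status | Format-Table -AutoSize
if ($missing) {
    Write-Warning ("Not redirected: " + (($missing | ForEach-Object Folder) -join ', '))
}
```

Run it in the user's own session after the first logon; a Desktop or Documents entry that still points under C:\Users is data that will be copied with the roaming profile.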

2.2.2.3 Roaming Profiles

Changes to how Roaming Profiles are handled in Windows 7 and changes to Group Policy Roaming Profile settings for Windows 7 include:

• Roaming folder: Windows 7 uses the Roaming folder for application-specific data, such as custom dictionaries, which are machine independent and should roam with the user profile. The AppData\Roaming folder in Windows 7 is the same as the Documents and Settings\username\Application Data folder in Windows XP.

• Profile size: Group Policy can be used to enforce limits to the size of Roaming Profiles. Earlier versions of Windows prevented users from logging off when the size of their profile exceeded the size in the policy setting. Windows 7 still respects this policy setting; however, it no longer prevents the user from logging off the computer. Windows does not synchronize the user’s profile to the profile server when it exceeds the policy-enabled limit.

• Profile loads: Windows 7 provides little information about the status of loading or unloading Roaming Profiles during user logon and logoff. This lack of information is misleading and may give users the impression that Windows 7 is unresponsive. You can use the computer Group Policy setting “verbose vs. normal status messages” to change this behavior. This changed behavior displays more information about the status of Windows loading and unloading the Roaming Profile during user logon and logoff.

• Profile compatibility: The user profile namespace used in Windows XP is identical to that used in Microsoft Windows 2000, making interoperability between the operating systems transparent. However, the significant changes in the Windows 7 profile namespace create a challenge. These significant changes prevent Windows 7 from loading user profiles from previous versions of Windows. Also, previous versions of Windows do not load Windows 7 user profiles. Therefore, Windows 7 Roaming Profiles will add “v2” to the end of the profile folder. The “v2” is used to isolate Windows 7 Roaming Profiles from those created by previous operating systems.

• Handle termination: Under Windows 7, applications that do not release handles to the registry hives during logoff now have their handles terminated to allow synchronization. This stops the situation under Windows XP where applications could delay profile synchronization at logoff or could prevent successful synchronization in some cases.

2.3 Core Applications

Core applications are applications or utilities that are used enterprise-wide and will be included in the master image deployed to all client computers:

• Office 2010 Professional Plus
• SEP-11
• CSA
• Java Virtual Machine
• Adobe Reader
• Adobe Flash
• K-Lite Codec Pack
• Microsoft Silverlight
• .NET Framework 4
• Multi-lingual User Interface (English and French-language MUI)
• Microsoft Visio Viewer
• DND Environment Variables
• DND Workstation Tools
• MS PowerShell 3.0
• VC++ redistributables

Note that the Group Policy Preferences Client-Side Extensions (CSEs), previously included in Windows Vista images, are already part of Windows 7.

2.3.1 The 2010 Office System

Table 2-3: Office Installation Information

Version: Microsoft Office 2010, SP1 Professional Plus Edition.

Rationale: Latest commercial release of the Microsoft Office System client software. Upgrade of the existing Office 2003 implementation at DND.

Installed components: The following components will be installed as part of the Office 2010 SP1 Professional Plus deployment:

• Word
• Excel
• PowerPoint
• Outlook
• Access
• InfoPath
• Publisher
• OneNote
• Microsoft Office 2010 Tools

Service packs & Updates: The image build will be updated quarterly with the current approved patches, including Office patches. Interim patches will be delivered via System Center Configuration Manager. Please refer to the National Desktop Management (NDM) support page for the list of patches applied to the reference image.

Configuration Management: All Office 2010 configuration settings that are covered by a Group Policy Template (ADMX) will be managed via GPO. Other settings deemed necessary to configure by DND, but not covered by GPO, will be configured via GPP (Group Policy Preference) as per DIMEI 2-4.

Installation Method: Silent install during the image creation process in the Deployment Workbench.

Setup Command: Setup.exe


2.3.1.1 2010 Office System Look and Feel

The 2010 Office system has a completely new UI for Microsoft Office Word®, Excel®, and PowerPoint® applications, with the traditional menu bar replaced by the Ribbon UI. The redesign makes the whole user experience more intuitive, graphical, and contextualized by completely rationalizing the interface. In addition, new features are available within the products, such as the new Microsoft SmartArt™ graphical features that users of previous versions will not be familiar with.

2.3.1.2 Office Open XML Formats

The new Office Open XML Formats are a departure from the binary format used in previous versions of Microsoft Office and are based on Extensible Markup Language (XML) technology. Although these formats provide many benefits, managing the conversion to the new Office Open XML Formats may be required. The Office File Converter (OFC) Pack, which is available for Microsoft Office 2000 and later, allows users of earlier Microsoft Office versions to view and edit documents saved in the new file format.

In terms of co-existence, users must understand which capabilities are tied to the 2010 Office system—for example, users of Microsoft Office 2000 cannot modify SmartArt graphics.

Considering the limited scope of the internal pilot (50 users), a Group Policy Object (GPO) will be created to configure the Office applications (Word, Excel and PowerPoint) to save their files in the legacy binary formats (the same format natively used by Office 2003) by default.

2.3.2 Symantec Endpoint Protection 11

Table 2-4: SEP11 Installation Information

Version: Symantec Endpoint Protection v11 Release Update 5 (RU5)

Rationale: SEP 11 is the DND-standard anti-malware and host protection suite, which must be present on all Windows-based desktop and laptop computers.

Installed Components: This list of installed components is based on current DND SEP 11 documentation for DNET Windows XP:

• Core services
• Anti-virus services
• Network Threat Protection
• Network Access Control

Service packs & Updates: As defined by DIMEI 2

Configuration Management: SEP 11 clients are centrally managed with a policy server. Policy is defined by DIMEI 2.

Installation Method: Installation source is cached locally (C:\LocalSource\SEP) during the image creation process. Silent install from the local source during the image deployment process. This is done to ensure that SEP doesn’t interfere with the image creation and deployment processes.

2.3.3 Cisco Security Agent

Table 2-5: CSA Installation Information

Version: Cisco Security Agent

Rationale: CSA 6.0 is an integral component of iAccess and desktop security and is required to function with the Windows 7 OS.

Installed Components: Client components

Service packs & Updates: As defined by DIMEI 2

Configuration Management: CSA is centrally managed with a policy server. Policy is defined by DIMEI 2.

Installation Method: Installation source is cached locally (C:\LocalSource\CSA) during the image creation process. Silent install from the local source during the image deployment process. This is done to ensure that CSA doesn’t interfere with the image creation and deployment processes.

2.3.4 Sun Java Virtual Machine

Table 2-6: Java Virtual Machine Installation Information

Version: Java Runtime

Rationale: For application support and enhanced browsing capability

Installed Components: Vendor components

Service packs & Updates: Delivered via SMS

Configuration Management: As per DIMEI 2.

Installation Method: Silent install during the image creation process in the Deployment Workbench.

2.3.5 Adobe Reader

Table 2-7: Adobe Reader Installation Information

Version: Adobe Reader

Rationale: DND standard for viewing PDF-formatted documents.

Installed Components: Full Installation (No Google Toolbar)

Service packs & Updates: Delivered via SMS

Configuration Management: As per DIMEI 2.

Installation Method: Silent install during the image creation process in the Deployment Workbench.

2.3.6 Adobe Flash Player

Table 2-8: Adobe Flash Player Installation Information

Version: Adobe Flash Player

Rationale: Enhance the user’s Internet browsing experience.

Installed Components: Full Installation (No Google Toolbar)

Service packs & Updates: Delivered via SMS

Configuration Management: As per DIMEI 2

Installation Method: Silent install during the image creation process in the Deployment Workbench.

2.3.7 Regional Settings and Keyboard Selection

The regional settings allow system configuration for the language, date, time, and keyboard formats that users require.

The default regional settings will be set as follows:

• Current Format: English (Canada)
• Current Location: Canada
• Default Input Language: English (Canada) – US
• Installed Keyboards: English (Canada) US; Canadian French
• Language Bar: Docked in the Taskbar
• Language Toggle: Left Alt + Shift

Move to build Doc!


3. Set Network Registry Key

This is a Run Command Line step with the following commands for x64 and x86 respectively:

reg add HKLM\SOFTWARE\Wow6432Node\NDM /v Network /t REG_DWORD /d 1

reg add HKLM\SOFTWARE\Policies\NDM /v Network /t REG_DWORD /d 1

The registry value for the network key is set to 1 for DNet and 2 for ComdNet, and this is normally done via a GPO. However, during deployment the GPO does not apply quickly enough for the applications in the task sequence that depend on it (i.e. CSA); therefore this registry poke is required as the first step in the Install Software group of the task sequence.
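As an added example (not from the DIMEI document or its task sequence), the following PowerShell performs the same registry poke as a single step that takes the target environment as a parameter, uses the value mapping and the x64/x86 paths the document gives, and reads the value back so the task sequence fails early if the poke did not take effect. The function name and its parameter are this example's own.

```powershell
# Added example (not part of the DIMEI build document): sets the NDM "Network"
# value that CSA needs before the GPO has had a chance to apply, then verifies it.
# Environment-to-value mapping comes from the document: 1 = DNet, 2 = ComdNet.
# The function and parameter names are this example's own choices.
function Set-NdmNetworkKey {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('DNet', 'ComdNet')]
        [string]$Environment
    )

    $value = @{ DNet = 1; ComdNet = 2 }[$Environment]

    # Paths as given in the document: Wow6432Node\NDM on x64 clients,
    # Policies\NDM on x86 clients. Requires .NET 4 (present in the image).
    $keyPath = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node\NDM'
    } else {
        'HKLM:\SOFTWARE\Policies\NDM'
    }

    # Create the key if absent; reg add does this implicitly, Set-ItemProperty does not
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    Set-ItemProperty -Path $keyPath -Name 'Network' -Value $value -Type DWord

    # Read back and throw so the task sequence step reports failure instead of
    # letting CSA install against a missing or wrong value.
    $actual = (Get-ItemProperty -Path $keyPath -Name 'Network').Network
    if ($actual -ne $value) {
        throw "NDM Network value at $keyPath is '$actual', expected $value"
    }

    [pscustomobject]@{
        Environment = $Environment
        Path        = $keyPath
        Network     = $actual
    }
}

# Task-sequence usage, e.g. as a Run PowerShell Script step before the CSA install:
# Set-NdmNetworkKey -Environment DNet
```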


Appendix A: USGCB Configuration Spreadsheet

For the detailed DND GPO settings, please consult the DNDCB-GPO-settings SharePoint website.


Appendix B: Windows 7 Image Core Components & Software

At the time of writing, the components and software programs in the table below were installed through the SCCM task sequence to complete the Windows 7 image. Core components added to Windows 7 as part of the Phase 1 MDT reference image creation are covered in section 2.3.

Note: Updates will be captured in the Windows 7 Image Creation SOP


Table B-1: Windows 7 Image Components – Non-Core Components task-sequenced using SCCM

Columns: Software, Version, Comments, and applicability to DWAN, CSNI Physical/Persistent and CSNI VHD.

• Symantec Endpoint Protection 11 (SEP-11), version 11 RU5: Since SEP-11 interferes with OSD, it is only copied to a local source location on the image. At the end of deployment, SEP-11 is installed from the local source. All environment-specific versions of the client will be stored in the local source.

• Microsoft Configuration Manager Client, version 2007: The Configuration Manager client is delivered at deployment time to help reduce the number of managed images by half (unmanaged versus production). The application is installed as part of the MDT Deployment Point (LTI) or the Configuration Manager Task Sequence.

• Entrust Entelligence Security Provider, version 9+: Already approved/in use on DWAN

• Entrust ESPo 8 Plug for Outlook and SafeNet Borderless Protection

• CSA, version 6: Since CSA 6 interferes with OSD, it is only copied to a local source location on the image. At the end of deployment, CSA 6 is installed from the local source. All environment-specific versions of the client will be stored in the local source.

• SAC SafeNet Authentication Client / SAFE / DND SCCM Set Cache Size 1.0: Already approved/in use on DWAN & CSNI

• TerraGo Toolbar: Already approved/in use on CSNI

• Google Earth Plugin: Already approved/in use on CSNI

• Titus: Already approved/in use on CSNI

• NetBanner: Already approved/in use on CSNI

• VmWare View Agent: Permits PCoIP connectivity to virtual desktop

• VMWare Tools: Additional device drivers/tools to support virtual machines

• Set Network Registry Key: Set the registry for the network key to 1 for DNet and 2 for ComdNet